WordPress security tips to recover a hacked WordPress website and lock down WordPress in case of an emergency.

Last Updated on February 14th, 2019

WordPress security is a very important aspect of running a WordPress site. Without proper WordPress security, you can never be sure about your business’s success. Internet Live Stats reports that about 70,000 websites get hacked every day on average. Sometimes it is wise to go 100% on security.

In this tutorial, we cover the essential steps to lock down WordPress in case of an emergency.

Since more than 32% of websites use WordPress to publish content every day, WordPress is targeted by attackers more than any other platform. One of the most common reasons websites get hacked is outdated software.

Is WordPress Secure?

The WPScan Vulnerability Database finds that more than 70% of vulnerabilities are due to out-of-date software. The most vulnerable versions of WordPress are all back in the 3.x series.

It is evident that WordPress has improved a lot in security. However, how do you know whether you have actually managed to secure your WordPress site?

Well, you don’t.

There are always new ways of hacking and phishing. All you can do is prepare well. Also, be certain to follow the best WordPress security tips. If you feel that your website has already been compromised, follow this tutorial.

Lock Down WordPress in Case of an Emergency

Sometimes it’s a good idea to lock down WordPress. When you know you are at high risk of getting hacked, our WordPress Pros suggest that you lock down WordPress for a while.

One of the worst security vulnerabilities is a backdoor. A backdoor gives hackers a way to bypass the normal login and keep access to a WordPress website, and it can be planted through SFTP, FTP, wp-admin, and similar access paths. According to Sucuri, 71% of the malware found across all the hacking attempts it analysed in 2017 were backdoors.

1. Use DISALLOW_FILE_EDIT in wp-config.php

If you want to harden your website and stop code from being injected through the dashboard’s built-in theme and plugin file editor, you need to define the DISALLOW_FILE_EDIT constant as true in your wp-config.php file. With the editor disabled, an attacker who gets hold of an administrator login can no longer use it to edit PHP files on the server.

This is very helpful when a site has been hacked or is in danger of being hacked.

Open your wp-config.php file and add the following line after the opening <?php tag.

define( 'DISALLOW_FILE_EDIT', true );
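The following shell script is an added example, not code from the original article: it checks whether a wp-config.php already disables the file editor and, if the constant is missing or set to false, inserts the line above right after the opening <?php tag (keeping a .bak copy). It assumes the <?php tag sits on a line of its own and that the constant, when present, is defined on a single line; the wp-config.php it runs on is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original article): check whether a wp-config.php
# disables the dashboard file editor and, if not, add the define right after
# the opening <?php tag. Assumes <?php sits on a line of its own and that the
# constant, if present, is defined on a single line with define( ... ).

# Usage: check_file_edit WP_CONFIG
# Prints "disabled" when DISALLOW_FILE_EDIT is set to true and returns 0;
# prints "enabled" and returns 1 when the constant is missing or false.
check_file_edit() {
    if grep -Eq "define\( *['\"]DISALLOW_FILE_EDIT['\"] *, *true *\)" "$1"; then
        echo disabled
    else
        echo enabled
        return 1
    fi
}

# Usage: disable_file_edit WP_CONFIG
# Leaves the file alone when the editor is already disabled. Otherwise keeps a
# copy as WP_CONFIG.bak, drops any existing (false) setting and inserts the
# hardened line after the first <?php.
disable_file_edit() {
    cfg="$1"
    if check_file_edit "$cfg" >/dev/null; then return 0; fi
    cp "$cfg" "$cfg.bak"
    grep -Ev "define\( *['\"]DISALLOW_FILE_EDIT['\"]" "$cfg.bak" |
        awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
            '/^<[?]php/ && !done { print; print line; done = 1; next } { print }' > "$cfg"
    check_file_edit "$cfg" >/dev/null
}

# Stand-alone demo on a constructed wp-config.php (not a real site's file).
tmp=$(mktemp -d)
printf '<?php\n/** constructed sample */\ndefine( "DB_NAME", "wp" );\n' > "$tmp/wp-config.php"
echo "before: file editor $(check_file_edit "$tmp/wp-config.php" || true)"
disable_file_edit "$tmp/wp-config.php"
echo "after:  file editor $(check_file_edit "$tmp/wp-config.php")"
rm -rf "$tmp"
```

Point disable_file_edit at the real wp-config.php to apply it; check_file_edit alone is enough for a read-only audit of several sites.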

2. Use Latest PHP Version

The most crucial WordPress site security factor is PHP. PHP is the backbone of your WordPress site. It is vital that you use the latest version of PHP on your server. PHP 7.3 is the latest PHP version as of writing this article, and we recommend always using the latest supported PHP version.

However, according to WordPress Stats, a mere 0.3% of users are running the latest version of PHP.

Every PHP version is usually supported for two years after its release. As of right now, PHP versions below 5.6 have no security support and are vulnerable to security threats. However, the stats show that more than 34% of people are still using PHP 5.2, which is kind of sad.

If you are using cPanel, take a look at how to change the PHP version in cPanel.

3. Check Existing Users in Your WordPress Dashboard

If you suspect that hackers have already logged into your WordPress site, go to Users >> All Users.

From the list, check whether any unknown users are registered on your site, paying particular attention to accounts with the Administrator role. If you find users that are unfamiliar to you, delete them ASAP.

Make sure there are no unfamiliar users on that list.
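Checking the list by eye works for a handful of accounts; on a larger site it is easier to keep an allowlist of the logins you created and diff the user list against it. The script below is an added example, not code from the original article. It reads the CSV shape that WP-CLI prints for `wp user list --fields=ID,user_login,user_email,roles --format=csv` (assumed: one role per account and no commas inside fields) and reports every account whose login is not on the allowlist; the user list and allowlist it runs on are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original article): compare the WordPress user
# list against an allowlist of accounts you know about and report the rest.
# USERS_CSV is expected in the shape WP-CLI prints for
#   wp user list --fields=ID,user_login,user_email,roles --format=csv
# (assumed: one role per account, no commas inside fields). The sample data
# below is constructed so the script runs without a WordPress install.

# Usage: unknown_users ALLOWLIST_FILE USERS_CSV
# ALLOWLIST_FILE holds one user_login per line. Prints one line per account
# that is not on the list; returns 0 when every account is known, 1 otherwise.
unknown_users() {
    tail -n +2 "$2" | awk -F, -v allow="$1" '
        BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
        !($2 in ok) { print "UNKNOWN id=" $1 " login=" $2 " email=" $3 " roles=" $4; found = 1 }
        END { exit found + 0 }'
}

# Constructed sample: two accounts the site owner created, plus one that was
# never created by the owner and holds the administrator role.
write_sample() {
    printf 'alice\nbob\n' > "$1/allowlist.txt"
    cat > "$1/users.csv" <<'EOF'
ID,user_login,user_email,roles
1,alice,alice@example.com,administrator
2,bob,bob@example.com,editor
7,wp_support,support@example.net,administrator
EOF
}

# Stand-alone demo on the sample data.
sample=$(mktemp -d)
write_sample "$sample"
if unknown_users "$sample/allowlist.txt" "$sample/users.csv"; then
    echo "all accounts are on the allowlist"
else
    echo "review the accounts above under Users >> All Users"
fi
rm -rf "$sample"
```

Keep the allowlist outside the web root and update it whenever you legitimately add a user; a non-zero exit makes the check easy to run from cron and alert on.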

4. Use A Strong Password

One of the common WordPress security tips you will find in every blog is to use a strong, clever password. It’s okay if you use a memorable password on your social and email accounts, but when you are managing your own website with Administrator privileges (Companion read: WordPress User Permissions, Explained), make sure you use a strong password.

You can use services like LastPass, Bitwarden (an open-source alternative to LastPass), or 1Password to generate a strong password with digits, upper- and lower-case letters, and symbols. These password managers also store your passwords behind a single master password for your convenience.

5. Update WordPress Core, Plugins and Themes

An independent survey by Wordfence found that more than 60% of webmasters say attackers gained access to their site via a plugin or theme.

Updating WordPress plugins and themes automatically can be an excellent choice. Sure, that consumes some CPU in the background, but it is worth it. Check our guide on How to Manage WordPress Automatic Updates Like a Pro to learn how to automate updates in WordPress.

Takeaway: Wordfence recently reported that a vulnerability in the AMP for WordPress plugin could open the way for XSS (cross-site scripting) on almost 100,000 websites where the plugin is active.

6. Replace WordPress Core Files

If you find that your site has been compromised but can’t work out how to fix it, follow this simple procedure: replace your WordPress core files.

Following this procedure will make sure you get your site working again (without any malware). Before you replace WordPress core files, make sure you have already done step 1 of this article.

Upload a freshly downloaded WordPress zip file and extract it in your root folder.

See the following video to replace WordPress core files manually.

Takeaway: The procedure replaces all existing files of your WordPress installation except those in the wp-content folder. Hackers often place malicious files in the wp-includes folder. Replacing all WordPress core files will make sure that your WordPress installation is clean and malware free. Because wp-content (themes, plugins, and uploads) is left untouched, check that folder separately for files you do not recognise.
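The same replacement can be done from a shell, which also lets you see what was changed before you overwrite it. The script below is an added example and is not code from the original article or from WordPress. It assumes the standard layout (wp-admin/, wp-includes/, wp-*.php, index.php), that FRESH_DIR is the directory an official wordpress-x.y.z.zip unpacks into, and that SITE_DIR is the site’s document root; scan_core lists core files that differ from the release or have no counterpart in it, and replace_core moves the old wp-admin and wp-includes out of the document root (so files added there disappear from the live tree rather than being merely overwritten) before copying the release in, leaving wp-content and wp-config.php alone. The release and site trees it runs on are a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the original article): compare a WordPress core tree
# against a freshly extracted official release and then replace it, keeping
# wp-content and wp-config.php. Assumes the standard layout (wp-admin/,
# wp-includes/, wp-*.php, index.php) and that FRESH_DIR is the directory an
# official wordpress-x.y.z.zip unpacks into. Core file names contain no
# whitespace, which the unquoted for-loops below rely on.

# Usage: scan_core FRESH_DIR SITE_DIR
# Reports core files that differ from the release (MODIFIED), are absent from
# the site (MISSING), or sit in wp-admin/wp-includes without a counterpart in
# the release (EXTRA). Returns 0 when nothing was found, 1 otherwise.
scan_core() {
    fresh="$1"; site="${2%/}"; issues=0
    for rel in $(cd "$fresh" && find . -type f ! -path './wp-content/*' | sort); do
        if [ ! -f "$site/$rel" ]; then
            echo "MISSING  $rel"; issues=1
        elif ! cmp -s "$fresh/$rel" "$site/$rel"; then
            echo "MODIFIED $rel"; issues=1
        fi
    done
    for rel in $(cd "$site" && find ./wp-admin ./wp-includes -type f 2>/dev/null | sort); do
        [ -f "$fresh/$rel" ] || { echo "EXTRA    $rel"; issues=1; }
    done
    return "$issues"
}

# Usage: replace_core FRESH_DIR SITE_DIR
# Moves the old wp-admin/ and wp-includes/ out of the document root (so files
# added there disappear from the live tree instead of being left next to the
# new ones), then copies every top-level item of the release except wp-content
# into the site. wp-config.php is not part of the release and is left as is.
# The old files are kept in a sibling directory of SITE_DIR for later review.
replace_core() {
    fresh="$1"; site="${2%/}"
    [ -d "$fresh/wp-includes" ] || { echo "not a WordPress release tree: $fresh" >&2; return 2; }
    [ -f "$site/wp-config.php" ] || { echo "no wp-config.php in $site" >&2; return 2; }
    backup="$site.core-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for d in wp-admin wp-includes; do
        if [ -d "$site/$d" ]; then mv "$site/$d" "$backup/$d"; fi
    done
    for src in "$fresh"/*; do
        name=$(basename "$src")
        case "$name" in wp-content) continue ;; esac
        if [ -f "$site/$name" ]; then mv "$site/$name" "$backup/$name"; fi
        cp -R "$src" "$site/$name"
    done
    echo "old core files saved in $backup"
}

# Constructed fixture, not real WordPress files: a tiny "release" and a "site"
# whose wp-includes holds one altered core file and one file that is not part
# of the release, plus a plugin and a wp-config.php that must survive.
make_fixture() {
    root="$1"
    mkdir -p "$root/fresh/wp-admin" "$root/fresh/wp-includes" \
             "$root/site/wp-admin" "$root/site/wp-includes" "$root/site/wp-content/plugins"
    for rel in index.php wp-admin/admin.php wp-includes/functions.php; do
        echo '<?php // release file' > "$root/fresh/$rel"
        echo '<?php // release file' > "$root/site/$rel"
    done
    echo '<?php // release file + injected code' > "$root/site/wp-includes/functions.php"
    echo '<?php // not part of any release' > "$root/site/wp-includes/cache-helper.php"
    echo '<?php // site plugin, must survive' > "$root/site/wp-content/plugins/my-plugin.php"
    echo '<?php define( "DB_NAME", "wp" );' > "$root/site/wp-config.php"
}

# Stand-alone demo on the fixture; point the two functions at a real release
# directory and document root to use them on a site.
demo=$(mktemp -d)
make_fixture "$demo"
echo "--- before"
scan_core "$demo/fresh" "$demo/site" || true
replace_core "$demo/fresh" "$demo/site"
echo "--- after"
scan_core "$demo/fresh" "$demo/site" && echo "core matches the release"
rm -rf "$demo"
```

Run scan_core first and keep its output together with the backup directory: the MODIFIED and EXTRA entries are the evidence of what was changed and are worth examining before the site goes back online.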

7. Do a WordPress Security Scan

WordPress security scans are a good way to find out exactly how your site was compromised. However, most WordPress security scanners are paid. Here’s a list of websites where you can schedule a free WordPress security scan.